Just a few short years ago, dynamic file analysis (a.k.a. the sandbox) was all the rage. Detonating a file in a “safe” sandbox environment to learn “who it would call and what it would do”, and using that intelligence to upgrade defenses, was deemed the latest must-have technology in cyber defense.
While there is no question that dynamic file analysis is a practical and useful tool, its limitations have become apparent over time. Unsurprisingly, bad actors have studied sandboxes closely to understand exactly how they work, where their weaknesses are and how to exploit those weaknesses.
Challenges
Let’s take a step back and look at some of the challenges security professionals are faced with when relying heavily on sandboxes.
1. Too many files to keep up with
Enterprises are inundated with a broad range of files that continue to grow in size and complexity, so depending entirely on a sandbox environment is problematic. Sandboxes are time- and resource-intensive, requiring greater investment in compute power and other SOC resources as file volumes increase. Even then, sandboxes can quickly be overloaded, leading to processing delays, workflow bottlenecks, and an increased likelihood of dangerous malware getting into the network.
2. Sandboxes can be easily evaded
Cybercriminals know that most organizations use this technology and have found crafty ways to avoid detection. Common techniques include delayed execution that outlasts the sandbox's analysis window, evaluation of the hardware (CPU count, memory, disk size) and installed applications, checks for mouse and keyboard interaction, and other probes that tell the malware whether it is running in a sandbox or in a real user environment. If the checks indicate a sandbox, the sample simply behaves benignly and the verdict comes back clean.
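The evasion checks described above leave footprints in the file itself: imported API names and embedded strings that a pre-execution scan can find even when the sandbox run shows nothing. The following Python script is an added example, not part of the original post and not ReversingLabs' engine; it extracts ASCII and UTF-16LE strings from a byte blob and flags co-occurring evasion indicator categories. The sample blobs are constructed for illustration, and the indicator lists and the two-category threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# Indicator categories. Any single hit is weak evidence (Sleep is in almost
# every binary); hits spanning several categories are what a triage rule
# should weigh. These lists are illustrative, not an exhaustive reference.
INDICATORS = {
    "timing": {"Sleep", "SleepEx", "GetTickCount", "GetTickCount64",
               "NtDelayExecution", "QueryPerformanceCounter"},
    "user_interaction": {"GetCursorPos", "GetLastInputInfo",
                         "GetAsyncKeyState", "GetForegroundWindow"},
    "hardware_probe": {"GetSystemInfo", "GlobalMemoryStatusEx",
                       "GetDiskFreeSpaceExA", "GetDiskFreeSpaceExW"},
    "analysis_tooling": {"vmtoolsd.exe", "VBoxService.exe", "VBoxTray.exe",
                         "SbieDll.dll", "qemu-ga.exe", "prl_tools.exe"},
}

# Printable ASCII runs, and UTF-16LE runs (printable byte followed by 0x00),
# each at least four characters long.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def u16(s: str) -> bytes:
    """Encode a string as a null-terminated UTF-16LE blob (for the constructed samples)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: the kind of import names and wide strings a
# sandbox-aware loader leaves in its import table and data section.
SAMPLE_BYTES = (
    b"\x00KERNEL32.dll\x00Sleep\x00GetTickCount\x00GetCursorPos\x00GetLastInputInfo\x00"
    b"GlobalMemoryStatusEx\x00GetSystemInfo\x00CreateFileA\x00WriteFile\x00\x00"
    + u16("vmtoolsd.exe") + u16("VBoxService.exe") + u16("SbieDll.dll")
)

# Constructed benign sample: ordinary file I/O plus a lone Sleep call.
BENIGN_BYTES = (
    b"\x00KERNEL32.dll\x00CreateFileA\x00WriteFile\x00ReadFile\x00Sleep\x00\x00"
    + u16("config.ini")
)


def extract_strings(blob: bytes) -> set:
    """Return the set of printable ASCII and UTF-16LE strings found in raw bytes."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)}
    return found


def classify(blob: bytes, min_categories: int = 2) -> dict:
    """Group indicator hits by category and flag the blob when enough categories co-occur.

    Caveat: this runs on whatever bytes it is given. A packed or encrypted
    sample hides these strings until it is unpacked, so a real static engine
    must strip packing first and should read the PE import table rather than
    rely on raw string matching.
    """
    lookup = {name.lower(): cat for cat, names in INDICATORS.items() for name in names}
    hits = defaultdict(list)
    for s in extract_strings(blob):
        cat = lookup.get(s.lower())
        if cat:
            hits[cat].append(s)
    return {
        "hits": {cat: sorted(names) for cat, names in hits.items()},
        "categories": len(hits),
        "suspicious": len(hits) >= min_categories,
    }


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BYTES), ("benign", BENIGN_BYTES)):
        verdict = classify(blob)
        print(f"{label}: suspicious={verdict['suspicious']} "
              f"categories={verdict['categories']} hits={verdict['hits']}")
```

The threshold matters more than the lists: flagging on a single timing API would bury analysts in false positives, while requiring timing, hardware and user-interaction probes together in one file is a far more specific signal of sandbox awareness.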
3. Limited coverage of files that a sandbox can analyze
Typically, sandboxes are limited in the file types they support, and that support often does not include many of the emerging file formats used in sophisticated malware attacks. Sandboxes are also constrained by file size and cannot process very large files. That leaves a lot of files and objects uncovered.
Solution
So it’s pretty clear that sandboxes have limitations that attackers are capitalizing on. The good news is that ReversingLabs' next-gen binary analysis can be your secret weapon against advanced malware threats. Here are a few reasons why:
1. Effortlessly handle high volumes of files, including large, complex files
ReversingLabs' AI-driven, static binary analysis technology uncovers threats embedded at the deepest levels within files, without executing the file. Our high-speed analysis engine fully deconstructs and inspects binaries in only a few seconds, so high volumes of files can be expeditiously processed and classified.
2. Evasion, what evasion?
Because the analysis happens without executing the file, the runtime checks that malware uses to spot a sandbox never fire, and evasion becomes a non-issue. Our proprietary analysis engine removes packing and obfuscation from binary files to expose their internal objects and metadata, regardless of file type or size. This metadata provides critical information, not available from other tools, for determining the intent and capabilities of a file. There's nowhere for malware to hide.
3. We’ve got you covered
With 4800 file formats supported, ReversingLabs enables organizations to expand analysis beyond executable content, bridge critical sandbox detection gaps and gain visibility into unknown malware. The list of file formats supported by ReversingLabs includes:
- Flash (all)
- Windows DLL / drivers
- Documents
- Non-traditional archives
- Firmware
- Scripts
- PE packers
- Installers
- Android, iOS
- Linux, MacOS
- Very large files
- 4000+ format families
- 400+ packer formats
What ReversingLabs' advanced malware analysis enables security teams to do
With ReversingLabs, security teams gain earlier detection and identification of threats. First, alert triage is significantly improved because analysts get decisive threat classification and verdicts in real time without waiting for sandbox processing. Only files that genuinely require runtime analysis need to go to the sandbox, dramatically improving efficiency.
Internal malware investigation teams greatly accelerate their analysis processes and have a better starting point. Not only do investigation teams get fast analysis, but also a deep contextual understanding of the malware. This allows them to create custom signatures and rules to proactively search for that malware and functionally similar malware variants internally, while enabling the quick upgrading of detection capabilities across endpoints and networks.
For threat hunting teams, malware intelligence collected by the investigation teams and linked with the latest global threat intelligence provides an excellent starting point for hunters. Locally stored malware context and advanced search capabilities let threat hunters pivot across large sample sets and push multiple hunting queries out to the network, SIEM or data lakes. The result is faster, more efficient, and more effective threat hunting.
Learn more about RL Malware Analysis and Threat Hunting.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.